Yahoo Mail hacked: a number of users hit, XSS exploit used by hacker
The Next Web reports that over the course of the weekend, people started reporting that their Yahoo Mail accounts had been hacked. Apparently, when a user clicks a malicious link in an email, the user’s details are sent to a website where the cookie details are captured. The cookie details are later replayed in a browser session to impersonate the victim, which the Yahoo Mail client accepts – the hacker now has access to the victim’s inbox.
Here’s a video made by Shahin Ramezany (Twitter: abyssec), who apparently executed the hack himself, using an XSS vulnerability that can be exploited in all major browsers:
He has posted a tweet about the vulnerability, and will not publish the proof of concept for the hack until Yahoo has fixed it.
Quote from The Next Web:
Update at 1:45PM EST: “We’ve been looking into it and the US have now confirmed that they are investigating too,” a Yahoo spokesperson in the UK told TNW. “They will be in touch if there is a comment – otherwise I recommend that if users are concerned then they should change their passwords immediately.”
It’s been said before, but I will say it again: never click links in emails from unknown or untrusted sources. One click can get your email account compromised, or expose sensitive personal or financial data to malicious people who would like to do real harm.